NIS2 Directive Explained: What SMBs Need to Know in 2026
A comprehensive guide to the NIS2 Directive — who it applies to, what it requires, penalties, timeline, and how to start your compliance journey.
The NIS2 Directive (Directive (EU) 2022/2555) is the most significant cybersecurity legislation the European Union has ever enacted. It replaces the original NIS Directive from 2016, dramatically expanding its scope, tightening requirements, and introducing personal liability for management. If your organization operates in the EU, you need to understand what NIS2 means for your business.
What changed from NIS1 to NIS2?
The original NIS Directive was the EU's first attempt at harmonizing cybersecurity across member states. It covered around 7 sectors and an estimated 15,000 organizations. It was a good start, but implementation was inconsistent — different member states applied different thresholds, leading to fragmentation.
NIS2 fixes these problems. It now covers 18 sectors and an estimated 160,000+ organizations across the EU. The directive introduces a uniform size threshold (medium-sized or larger: 50 or more employees, or more than €10 million in annual turnover or balance sheet total, in a covered sector), stricter incident reporting timelines, mandatory supply chain security measures, and, most notably, personal accountability for management body members.
Who does NIS2 apply to?
NIS2 divides covered organizations into two categories with different oversight regimes:
Essential Entities are subject to proactive (ex ante) supervision, meaning authorities can audit and inspect them at any time, not just after an incident. Essential status is tied to both sector and size: large entities (250 or more employees, or more than €50 million in turnover) in the Annex I "high criticality" sectors are essential. Those sectors are energy (electricity, oil, gas, hydrogen, district heating), transport (air, rail, water, road), banking and financial market infrastructure, health (hospitals, labs, pharmaceutical manufacturing), drinking water, wastewater, digital infrastructure (DNS, TLD registries, cloud providers, data centres, CDNs, trust services, public telecommunications), ICT service management (B2B), public administration, and space. A few categories are essential regardless of size, including qualified trust service providers, TLD registries and DNS service providers.
Important Entities face reactive (ex-post) supervision: authorities get involved after an incident or evidence of non-compliance. This category covers the Annex II sectors, namely postal and courier services, waste management, chemicals, food production and distribution, manufacturing (medical devices, computers, electronics, machinery, vehicles), digital providers (marketplaces, search engines, social networks), and research organizations. Medium-sized entities in the Annex I sectors listed above also generally fall here rather than under essential entities, unless a member state designates them otherwise.
The general size threshold is medium-sized or larger: 50 or more employees, or more than €10 million in annual turnover or balance sheet total. However, some entities are covered regardless of size, including DNS service providers, TLD registries, trust service providers, and providers of public electronic communications networks or services. Member states can also designate smaller entities whose disruption would have a significant impact.
Not sure if NIS2 applies to you? Use our free NIS2 Readiness Assessment — it starts with a screening step that checks your sector, size, and EU operations.
The 10 key requirements
NIS2 Article 21 sets out minimum cybersecurity risk management measures. These are not suggestions — they are legal obligations:
1. Risk analysis and information system security policies — You must have a documented risk management framework covering all network and information systems. This includes regular risk assessments, defined risk treatment approaches, and policies approved by management.
2. Incident handling — Perhaps the most impactful requirement. For a significant incident (one that has caused or can cause severe operational disruption or financial loss, or considerable damage to others), Article 23 sets a three-stage reporting chain to your CSIRT or competent authority: an early warning within 24 hours of becoming aware of it (stating whether malicious activity is suspected and whether there is likely cross-border impact), an incident notification within 72 hours with an initial assessment of severity and impact, and a final report no later than one month after that notification, including root cause analysis and mitigation applied. Authorities may also request intermediate status updates in between. Meeting the 24-hour clock in practice means your detection and escalation path must already define who decides that an incident is "significant" and who files the report.
3. Business continuity and crisis management — Backup management, disaster recovery procedures, and crisis management processes must be in place and tested. This goes beyond IT — it covers the entire organization's ability to continue operating during a cybersecurity incident.
4. Supply chain security — You must address security risks in your relationships with direct suppliers and service providers. This includes contractual security requirements, supplier assessments, and ongoing monitoring. Supply chain attacks have become a primary concern, and NIS2 reflects this.
5. Security in network and information systems acquisition, development, and maintenance — Including vulnerability handling and disclosure.
6. Policies and procedures to assess cybersecurity measures — You need mechanisms to evaluate whether your security controls are actually working.
7. Basic cyber hygiene practices and cybersecurity training — Employees must receive regular security awareness training, and management body members must follow cybersecurity training themselves under Article 20(2) so that they can assess the risks and measures they are approving.
8. Cryptography and encryption policies — You must have policies and procedures on the use of cryptography and, where appropriate, encryption. In practice this means documenting which algorithms, key lengths and key-management practices are approved, and where data is encrypted in transit and at rest.
9. Human resources security, access control policies, and asset management — Least privilege access, regular reviews, and comprehensive asset inventory.
10. Multi-factor authentication and secured communications — The use of multi-factor or continuous authentication solutions where appropriate (at minimum for remote access and administrative functions), plus secured voice, video and text communications and secured emergency communication systems within the entity.
Management liability — the game changer
Under NIS2 Article 20, management bodies must approve cybersecurity risk management measures and oversee their implementation, and can be held liable for infringements. For essential entities, competent authorities can go further and request a temporary ban on natural persons with managerial responsibilities at CEO or legal representative level from exercising those functions until compliance is restored.
This transforms cybersecurity from an IT concern to a board-level obligation. Management body members who delegate cybersecurity without oversight are personally at risk. The directive also requires that management undergo cybersecurity training — a clear signal that "I didn't understand the risks" is not an acceptable defense.
Penalties
NIS2 introduces GDPR-scale penalties. Essential entities face administrative fines of up to €10 million or 2% of total worldwide annual turnover (whichever is higher). Important entities face up to €7 million or 1.4% of turnover. These are minimum maximums: national transposition laws may set higher ceilings. Beyond fines, authorities can issue warnings and binding instructions, order audits and remediation within a deadline, and, for essential entities, temporarily suspend certifications or authorisations.
Timeline and current status
NIS2 entered into force on 16 January 2023. EU member states were required to transpose it into national law by 17 October 2024. Transposition progress has varied — some member states met the deadline, while others are still finalizing their national legislation. Regardless of national transposition status, the directive's requirements represent the standard organizations should be working toward.
By 17 April 2025, member states had to establish their lists of essential and important entities, and must update them at least every two years. Many national laws implement this by requiring entities to register themselves with the national authority, so check whether a registration deadline applies to you. If you operate in a covered sector and meet the size thresholds, assume NIS2 applies to you and begin preparing now.
How to start your NIS2 compliance journey
Step 1: Determine if NIS2 applies. Check your sector, size, and EU operations against the criteria above. Our NIS2 Readiness Assessment automates this screening.
Step 2: Conduct a gap assessment. Evaluate your current security posture against NIS2's 10 requirements. Identify what you already have in place and where the gaps are. Our readiness tool assesses you across all domains, or use the detailed NIS2 Compliance Starter Kit with 82 individual controls.
Step 3: Prioritize gaps. Not all gaps are equal. Focus first on incident response (the 24-hour timeline is unforgiving), governance (management liability is immediate), and supply chain security (your vendors may need time to come into compliance).
Step 4: Build your remediation roadmap. Create a 30/60/90-day plan with clear owners, budgets, and milestones. Present this to your management body — their formal approval is itself a NIS2 requirement.
Step 5: Implement and document. NIS2 compliance is not a one-time project. Implement your security measures, document everything, and establish ongoing monitoring and review processes. Use our Security Policy Generator to create the foundational documents you need.
The organizations that start now will be well-positioned as enforcement ramps up. Those that wait risk penalties, reputational damage, and the much higher cost of reactive compliance under pressure.
Further reading: NIS2 vs GDPR · How to Write an IRP
ClevSec
Compliance & security tools for modern businesses
We build practical tools and templates that help startups and SMBs stay compliant with NIS2, GDPR, and DORA. Explore our free tools →
This article is for informational purposes only and does not constitute legal advice. Last updated: March 2026.